mirror of
https://github.com/fleetdm/fleet
synced 2026-05-21 16:08:47 +00:00
18f010f228
#20571 ## Summary of changes We have a few moving parts in fleetctl land (`fleetdm/wix` is used to build `msi`s and `fleetdm/bomutils` is used to build `pkg`s, and `fleetdm/fleetctl` can be used to build packages using docker, no need for fleetctl executable): ```mermaid graph LR fleetctl_exec[fleetctl<br>executable]; wix_image[fleetdm/wix<br>docker image]; bomutils_image[fleetdm/bomutils<br>docker image]; fleetctl_image[fleetdm/fleetctl<br>docker image]; fleetctl_exec -- uses --> wix_image; fleetctl_image -- COPY dependencies<br>FROM --> wix_image; fleetctl_exec -- uses --> bomutils_image; fleetctl_image -- COPY dependencies<br>FROM --> bomutils_image; ``` So, we'll need to update the three images: `fleetdm/bomutils`, `fleetdm/wix` & `fleetdm/fleetctl`. - `tools/bomutils-docker/Dockerfile`, `tools/wix-docker/Dockerfile` and `tools/fleetctl-docker/Dockerfile`: Updating the base image to fix the CRITICAL vulnerabilities. - Modified existing+unused `.github/workflows/build-and-check-fleetctl-docker-and-deps.yml` to run every day to check for CRITICAL vulnerabilities in `fleetdm/wix`, `fleetdm/bomutils` and `fleetdm/fleetctl`. - `.github/workflows/goreleaser-fleetctl-docker-deps.yaml`: `fleetdm/bomutils` and `fleetdm/wix` were pushed manually a few years ago (most likely by Zach), so I've added a new action to release them when we have changes to release (like now). It will basically release `fleetctl/bomutils` and `fleetdm/wix` when pushing a tag of the form `fleetctl-docker-deps-*` (we'll need to protect such tag prefix). - Changes in `.github/workflows/test-native-tooling-packaging.yml` to build `fleetdm/bomutils` and `fleetdm/wix` for `fleetdm/fleetctl` to use them instead of the ones in docker hub. -- Build before upgrading `debian:stable-slim`: https://github.com/fleetdm/fleet/actions/runs/10255391418/job/28372231837  Build after upgrading `debian:stable-slim`: https://github.com/fleetdm/fleet/actions/runs/10255550034 - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Manual QA for all new/changed functionality
137 lines
4.8 KiB
YAML
137 lines
4.8 KiB
YAML
# This workflow tests packaging of Fleet-osquery with the
|
|
# `fleetctl package` command. It fetches the targets: orbit,
|
|
# osquery and fleet-desktop from the default (Fleet's) TUF server,
|
|
# https://tuf.fleetctl.com.
|
|
name: Test packaging
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
- patch-*
|
|
- prepare-*
|
|
pull_request:
|
|
paths:
|
|
- 'cmd/fleetctl/**.go'
|
|
- 'pkg/**.go'
|
|
- 'server/service/**.go'
|
|
- 'server/context/**.go'
|
|
- 'orbit/**.go'
|
|
- 'ee/fleetctl/**.go'
|
|
- 'tools/fleetctl-docker/**'
|
|
- 'tools/wix-docker/**'
|
|
- 'tools/bomutils-docker/**'
|
|
- '.github/workflows/test-packaging.yml'
|
|
workflow_dispatch: # Manual
|
|
|
|
# This allows a subsequently queued workflow run to interrupt previous runs
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
|
|
cancel-in-progress: true
|
|
|
|
defaults:
|
|
run:
|
|
# fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
|
|
shell: bash
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
test-packaging:
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
# note: in order to test both the wix and the docker flow for msi
|
|
# packages, this worker needs to run on an x86_64 architecture.
|
|
# `macos-latest` uses arm64 by default now, so please be careful when
|
|
# updating this version.
|
|
os: [ubuntu-latest, macos-13]
|
|
go-version: ['${{ vars.GO_VERSION }}']
|
|
runs-on: ${{ matrix.os }}
|
|
|
|
steps:
|
|
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Pull fleetdm/wix
|
|
# Run in background while other steps complete to speed up the workflow
|
|
run: docker pull fleetdm/wix:latest &
|
|
|
|
- name: Pull fleetdm/bomutils
|
|
# Run in background while other steps complete to speed up the workflow
|
|
run: docker pull fleetdm/bomutils:latest &
|
|
|
|
- name: Run Colima
|
|
if: startsWith(matrix.os, 'macos')
|
|
timeout-minutes: 15
|
|
# notes:
|
|
# - docker to install the docker CLI and interact with the Colima
|
|
# container runtime
|
|
# - colima is pre-installed in macos-12 runners, but not in macos-13 or
|
|
# macos-14 runners
|
|
run: |
|
|
brew install docker
|
|
# The runners come with an old version of python@3.12 that fails to upgrade
|
|
# when python gets pulled in as a dep through the chain
|
|
# colima -> lima -> qemu -> glibc -> python@3.12
|
|
# Force upgrade it for now, remove once the problem is fixed
|
|
brew install --overwrite python@3.12
|
|
brew install colima
|
|
colima start --mount $TMPDIR:w
|
|
|
|
- name: Install Go
|
|
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
|
|
with:
|
|
go-version: ${{ matrix.go-version }}
|
|
|
|
- name: Checkout Code
|
|
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
|
|
|
|
- name: Install wine and wix
|
|
if: startsWith(matrix.os, 'macos')
|
|
run: |
|
|
./scripts/macos-install-wine.sh -n
|
|
wget https://github.com/wixtoolset/wix3/releases/download/wix3112rtm/wix311-binaries.zip -nv -O wix.zip
|
|
mkdir wix
|
|
unzip wix.zip -d wix
|
|
rm -f wix.zip
|
|
echo wix installed at $(pwd)/wix
|
|
|
|
# It seems faster not to cache Go dependencies
|
|
- name: Install Go Dependencies
|
|
run: make deps-go
|
|
|
|
- name: Build fleetctl
|
|
run: make fleetctl
|
|
|
|
- name: Build DEB
|
|
run: ./build/fleetctl package --type deb --enroll-secret=foo --fleet-url=https://localhost:8080
|
|
|
|
- name: Build DEB with Fleet Desktop
|
|
run: ./build/fleetctl package --type deb --enroll-secret=foo --fleet-url=https://localhost:8080 --fleet-desktop
|
|
|
|
- name: Build RPM
|
|
run: ./build/fleetctl package --type rpm --enroll-secret=foo --fleet-url=https://localhost:8080
|
|
|
|
- name: Build RPM with Fleet Desktop
|
|
run: ./build/fleetctl package --type rpm --enroll-secret=foo --fleet-url=https://localhost:8080 --fleet-desktop
|
|
|
|
- name: Build MSI
|
|
run: ./build/fleetctl package --type msi --enroll-secret=foo --fleet-url=https://localhost:8080
|
|
|
|
- name: Build MSI with Fleet Desktop
|
|
run: ./build/fleetctl package --type msi --enroll-secret=foo --fleet-url=https://localhost:8080 --fleet-desktop
|
|
|
|
- name: Build PKG
|
|
run: ./build/fleetctl package --type pkg --enroll-secret=foo --fleet-url=https://localhost:8080
|
|
|
|
- name: Build PKG with Fleet Desktop
|
|
run: ./build/fleetctl package --type pkg --enroll-secret=foo --fleet-url=https://localhost:8080 --fleet-desktop
|
|
|
|
- name: Build MSI (using local Wix)
|
|
if: startsWith(matrix.os, 'macos')
|
|
run: ./build/fleetctl package --type msi --enroll-secret=foo --fleet-url=https://localhost:8080 --fleet-desktop --local-wix-dir ./wix
|